Analysis

Category: FILE
Package: Unpacker
Started: 2020-06-05 13:56:47
Completed: 2020-06-05 14:17:48
Duration: 1261 seconds
Options: route = tor
Log:
2020-05-13 09:30:34,547 [root] INFO: Date set to: 20200605T14:14:17, timeout set to: 200
2020-06-05 14:14:17,093 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-06-05 14:14:17,093 [root] DEBUG: Storing results at: C:\uSCtlH
2020-06-05 14:14:17,093 [root] DEBUG: Pipe server name: \\.\PIPE\auuNuDj
2020-06-05 14:14:17,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:14:17,093 [root] INFO: Analysis package "Unpacker" has been specified.
2020-06-05 14:14:17,093 [root] DEBUG: Trying to import analysis package "Unpacker"...
2020-06-05 14:14:17,140 [root] DEBUG: Imported analysis package "Unpacker".
2020-06-05 14:14:17,140 [root] DEBUG: Trying to initialize analysis package "Unpacker"...
2020-06-05 14:14:17,140 [root] DEBUG: Initialized analysis package "Unpacker".
2020-06-05 14:14:17,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:14:17,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:14:17,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:14:17,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:14:17,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:14:17,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:14:17,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:14:17,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:14:17,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:14:17,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:14:17,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:14:17,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:14:17,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:14:17,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:14:17,312 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:14:17,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:14:17,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:14:17,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:14:17,453 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:14:17,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:14:17,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:14:17,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:14:17,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:14:17,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:14:17,468 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:14:17,468 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:14:17,468 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:14:17,468 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:14:17,468 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:14:17,484 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:14:17,484 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:14:17,484 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:14:17,484 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:14:17,484 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:14:17,484 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:14:17,484 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:14:18,375 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:14:18,375 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:14:18,390 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:14:18,390 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:14:18,390 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:14:18,390 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:14:18,406 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:14:18,406 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:14:18,406 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:14:18,406 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:14:18,406 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:14:18,406 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:14:18,421 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:14:18,421 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:14:18,421 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:14:18,421 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:14:18,437 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:14:18,437 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:14:18,437 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:14:18,437 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:14:18,437 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:14:18,437 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:14:18,437 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:14:18,437 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:14:18,437 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:14:18,437 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:14:18,437 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:14:18,437 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a DLL option
2020-06-05 14:14:18,437 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a DLL_64 option
2020-06-05 14:14:18,437 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a loader option
2020-06-05 14:14:18,437 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a loader_64 option
2020-06-05 14:14:18,468 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe" with arguments "" with pid 4632
2020-06-05 14:14:18,468 [lib.api.process] INFO: Monitor config for process 4632: C:\tmplodztmkc\dll\4632.ini
2020-06-05 14:14:18,484 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:18,484 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:18,484 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:18,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:18,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:18,546 [root] DEBUG: Loader: Injecting process 4632 (thread 4596) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:18,546 [root] DEBUG: Process image base: 0x00400000
2020-06-05 14:14:18,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:18,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:14:18,546 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:18,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4632
2020-06-05 14:14:20,656 [lib.api.process] INFO: Successfully resumed process with pid 4632
2020-06-05 14:14:20,781 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:14:20,796 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:14:20,796 [root] DEBUG: Process dumps disabled.
2020-06-05 14:14:20,796 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:14:20,796 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 14:14:20,796 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4632 at 0x6f450000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 14:14:20,812 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe".
2020-06-05 14:14:20,859 [root] INFO: Disabling sleep skipping.
2020-06-05 14:14:20,859 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-06-05 14:14:20,859 [root] INFO: Disabling sleep skipping.
2020-06-05 14:14:20,875 [root] INFO: Disabling sleep skipping.
2020-06-05 14:14:20,875 [root] INFO: Disabling sleep skipping.
2020-06-05 14:14:20,875 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2b0000
2020-06-05 14:14:20,875 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:14:20,875 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-06-05 14:14:20,875 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions: EntryPoint 0x14c8, Entropy 6.070933e+00
2020-06-05 14:14:20,875 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:14:20,875 [root] INFO: loaded: b'4632'
2020-06-05 14:14:20,875 [root] INFO: Loaded monitor into process with pid 4632
2020-06-05 14:14:20,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:14:20,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:14:20,984 [root] DEBUG: ProcessImageBase: EP 0x000014C8 image base 0x00400000 size 0x0 entropy 6.070933e+00.
2020-06-05 14:14:20,984 [root] DEBUG: ProtectionHandler: Adding region at 0x003D0000 to tracked regions.
2020-06-05 14:14:20,984 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003D0000.
2020-06-05 14:14:20,984 [root] DEBUG: AddTrackedRegion: New region at 0x003D0000 size 0x6000 added to tracked regions.
2020-06-05 14:14:21,000 [root] DEBUG: ProtectionHandler: Address: 0x003D0000 (alloc base 0x003D0000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-06-05 14:14:21,000 [root] DEBUG: ProtectionHandler: New code detected at (0x003D0000), scanning for PE images.
2020-06-05 14:14:21,000 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3d6000.
2020-06-05 14:14:21,000 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d0000-0x3d6000.
2020-06-05 14:14:21,000 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003D0000 - 0x003D6000.
2020-06-05 14:14:21,015 [root] INFO: ('dump_file', 'C:\\uSCtlH\\CAPE\\4632_02114205562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?0x003D0000;?', ['4632'], 'CAPE')
2020-06-05 14:14:21,140 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uSCtlH\CAPE\4632_02114205562020 (size 0x5161)
2020-06-05 14:14:21,140 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x003D0000, size 0x6000
2020-06-05 14:14:21,156 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 14:14:21,234 [root] DEBUG: ProtectionHandler: Address 0x003D0000 already in tracked region at 0x003D0000, size 0x6000
2020-06-05 14:14:21,249 [root] DEBUG: ProtectionHandler: Address: 0x003D0000 (alloc base 0x003D0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-06-05 14:14:21,249 [root] DEBUG: ProtectionHandler: Increased region size at 0x003D0000 to 0xa000.
2020-06-05 14:14:21,249 [root] DEBUG: ProtectionHandler: New code detected at (0x003D0000), scanning for PE images.
2020-06-05 14:14:21,249 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3da000.
2020-06-05 14:14:21,249 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d0000-0x3da000.
2020-06-05 14:14:21,249 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003D0000 - 0x003DA000.
2020-06-05 14:14:21,265 [root] INFO: ('dump_file', 'C:\\uSCtlH\\CAPE\\4632_9107528022114205562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?0x003D0000;?', ['4632'], 'CAPE')
2020-06-05 14:14:21,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uSCtlH\CAPE\4632_9107528022114205562020 (size 0x9600)
2020-06-05 14:14:21,359 [root] DEBUG: ProtectionHandler: dumped memory (sub)region at 0x003D0000, size 0xa000
2020-06-05 14:14:21,390 [root] DEBUG: DLL loaded at 0x6F3D0000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 14:14:21,437 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:14:21,453 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:14:21,578 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:14:21,593 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 14:14:34,500 [root] DEBUG: Allocation: 0x00530000 - 0x00538000, size: 0x8000, protection: 0x40.
2020-06-05 14:14:34,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:14:34,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:14:34,500 [root] DEBUG: ProcessImageBase: EP 0x000014C8 image base 0x00400000 size 0x0 entropy 6.248533e+00.
2020-06-05 14:14:34,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003D0000.
2020-06-05 14:14:34,500 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00530000, size: 0x8000.
2020-06-05 14:14:34,500 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00530000.
2020-06-05 14:14:34,515 [root] DEBUG: AddTrackedRegion: New region at 0x00530000 size 0x8000 added to tracked regions.
2020-06-05 14:14:34,515 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00530000, TrackedRegion->RegionSize: 0x8000, thread 4596
2020-06-05 14:14:34,515 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4596 type 1 at address 0x00530000, size 2 with Callback 0x6f46a080.
2020-06-05 14:14:34,515 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00530000
2020-06-05 14:14:34,531 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4596 type 1 at address 0x0053003C, size 4 with Callback 0x6f469cc0.
2020-06-05 14:14:34,531 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0053003C
2020-06-05 14:14:34,531 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00530000 (size 0x8000).
2020-06-05 14:14:34,531 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:34,531 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404F50 (thread 4596)
2020-06-05 14:14:34,531 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00530000.
2020-06-05 14:14:34,531 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x530000: 0xeb.
2020-06-05 14:14:34,531 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:14:34,546 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00404F50 (thread 4596)
2020-06-05 14:14:34,546 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0053003C.
2020-06-05 14:14:34,546 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x459eec11 (at 0x0053003C).
2020-06-05 14:14:34,546 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00530000 already exists for thread 4596 (process 4632), skipping.
2020-06-05 14:14:34,546 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00530000.
2020-06-05 14:14:34,546 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00530000 (thread 4596)
2020-06-05 14:14:34,546 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00530000 (allocation base 0x00530000).
2020-06-05 14:14:34,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x530000 - 0x538000.
2020-06-05 14:14:34,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00530000.
2020-06-05 14:14:34,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0053003C.
2020-06-05 14:14:34,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00530000.
2020-06-05 14:14:34,546 [root] DEBUG: ShellcodeExecCallback: About to scan region for a PE image (base 0x00530000, size 0x8000).
2020-06-05 14:14:34,546 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x538000.
2020-06-05 14:14:34,562 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x530000-0x538000.
2020-06-05 14:14:34,593 [root] INFO: ('dump_file', 'C:\\uSCtlH\\CAPE\\4632_9452105861436205562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?0x00530000;?', ['4632'], 'CAPE')
2020-06-05 14:14:34,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\uSCtlH\CAPE\4632_9452105861436205562020 (size 0x3297)
2020-06-05 14:14:34,625 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00530000 (size 0x8000).
2020-06-05 14:14:34,625 [root] DEBUG: set_caller_info: Adding region at 0x00530000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:37,281 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 4892
2020-06-05 14:14:37,281 [lib.api.process] INFO: Monitor config for process 4892: C:\tmplodztmkc\dll\4892.ini
2020-06-05 14:14:37,296 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:37,296 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:37,296 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:37,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:37,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:37,328 [root] DEBUG: Loader: Injecting process 4892 (thread 4744) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,328 [root] DEBUG: Process image base: 0x002D0000
2020-06-05 14:14:37,328 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:14:37,328 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:14:37,343 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,343 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4892
2020-06-05 14:14:37,578 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 4892
2020-06-05 14:14:37,578 [lib.api.process] INFO: Monitor config for process 4892: C:\tmplodztmkc\dll\4892.ini
2020-06-05 14:14:37,578 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:37,578 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:37,578 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:37,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:37,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:37,625 [root] DEBUG: Loader: Injecting process 4892 (thread 4744) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,625 [root] DEBUG: Process image base: 0x002D0000
2020-06-05 14:14:37,625 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:14:37,640 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:14:37,640 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4892
2020-06-05 14:14:37,640 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 4892
2020-06-05 14:14:37,640 [lib.api.process] INFO: Monitor config for process 4892: C:\tmplodztmkc\dll\4892.ini
2020-06-05 14:14:37,656 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:37,656 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:37,656 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:37,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:37,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:37,671 [root] DEBUG: Loader: Injecting process 4892 (thread 0) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,671 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 14:14:37,687 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4744, handle 0xc4
2020-06-05 14:14:37,687 [root] DEBUG: Process image base: 0x002D0000
2020-06-05 14:14:37,687 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:14:37,687 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:14:37,687 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4892
2020-06-05 14:14:37,703 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 4892
2020-06-05 14:14:37,703 [lib.api.process] INFO: Monitor config for process 4892: C:\tmplodztmkc\dll\4892.ini
2020-06-05 14:14:37,703 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:37,703 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:37,703 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:37,703 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:37,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:37,734 [root] DEBUG: Loader: Injecting process 4892 (thread 0) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,734 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 14:14:37,734 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4744, handle 0xc4
2020-06-05 14:14:37,734 [root] DEBUG: Process image base: 0x002D0000
2020-06-05 14:14:37,734 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:14:37,734 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:14:37,750 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4892
2020-06-05 14:14:37,750 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 4892
2020-06-05 14:14:37,750 [lib.api.process] INFO: Monitor config for process 4892: C:\tmplodztmkc\dll\4892.ini
2020-06-05 14:14:37,750 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:37,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:37,750 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:37,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\PsmIGdQ.dll, loader C:\tmplodztmkc\bin\dpnxrLv.exe
2020-06-05 14:14:37,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:37,781 [root] DEBUG: Loader: Injecting process 4892 (thread 4744) with C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,781 [root] DEBUG: Process image base: 0x002D0000
2020-06-05 14:14:37,781 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:14:37,796 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:14:37,796 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\PsmIGdQ.dll.
2020-06-05 14:14:37,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4892
2020-06-05 14:14:38,000 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:14:38,015 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:14:38,015 [root] DEBUG: Process dumps disabled.
2020-06-05 14:14:38,015 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:14:38,015 [root] INFO: Disabling sleep skipping.
2020-06-05 14:14:38,015 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4892 at 0x6f450000, image base 0x2d0000, stack from 0x286000-0x290000
2020-06-05 14:14:38,078 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x76de0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x76e4b5f0, Wow64PrepareForException: 0x0
2020-06-05 14:14:38,078 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2a0000
2020-06-05 14:14:38,078 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:14:38,078 [root] DEBUG: set_caller_info: Adding region at 0x00050000 to caller regions list (ntdll::RtlDispatchException).
2020-06-05 14:14:38,078 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1bf4 in capemon caught accessing 0x2d1000 (expected in memory scans), passing to next handler.
2020-06-05 14:14:38,078 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x002D1000
2020-06-05 14:14:38,078 [root] DEBUG: AddTrackedRegion: GetEntropy failed.
2020-06-05 14:14:38,078 [root] DEBUG: AddTrackedRegion: New region at 0x002D0000 size 0x1000 added to tracked regions: EntryPoint 0x73377cef, Entropy 0.000000e+00
2020-06-05 14:14:38,078 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:14:38,078 [root] INFO: loaded: b'4892'
2020-06-05 14:14:38,078 [root] INFO: Loaded monitor into process with pid 4892
2020-06-05 14:14:38,093 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:38,093 [root] DEBUG: DLL loaded at 0x03F80000: C:\tmplodztmkc\dll\PsmIGdQ (0xd5000 bytes).
2020-06-05 14:14:38,093 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,093 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,093 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,109 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:38,109 [root] DEBUG: DLL loaded at 0x03F80000: C:\tmplodztmkc\dll\PsmIGdQ (0xd5000 bytes).
2020-06-05 14:14:38,125 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,125 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,125 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,125 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,125 [root] DEBUG: DLL unloaded from 0x03F80000.
2020-06-05 14:14:38,140 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:38,140 [root] DEBUG: DLL loaded at 0x03F80000: C:\tmplodztmkc\dll\PsmIGdQ (0xd5000 bytes).
2020-06-05 14:14:38,156 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,156 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,156 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,156 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,156 [root] DEBUG: DLL unloaded from 0x03F80000.
2020-06-05 14:14:38,156 [root] DEBUG: set_caller_info: Adding region at 0x000D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:38,171 [root] DEBUG: DLL loaded at 0x03F80000: C:\tmplodztmkc\dll\PsmIGdQ (0xd5000 bytes).
2020-06-05 14:14:38,171 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,171 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:38,171 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-05 14:14:38,187 [root] DEBUG: set_caller_info: Adding region at 0x002F0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:14:41,734 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-05 14:14:41,750 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1436
2020-06-05 14:14:41,750 [lib.api.process] INFO: Monitor config for process 1436: C:\tmplodztmkc\dll\1436.ini
2020-06-05 14:14:41,750 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:14:41,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:14:41,765 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:14:41,765 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\RdpbJtV.dll, loader C:\tmplodztmkc\bin\gtJiPcKR.exe
2020-06-05 14:14:41,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\auuNuDj.
2020-06-05 14:14:41,781 [root] DEBUG: Loader: Injecting process 1436 (thread 0) with C:\tmplodztmkc\dll\RdpbJtV.dll.
2020-06-05 14:14:41,796 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD7000: The operation completed successfully.
2020-06-05 14:14:41,796 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:14:41,796 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:14:41,796 [root] DEBUG: Failed to inject DLL C:\tmplodztmkc\dll\RdpbJtV.dll.
2020-06-05 14:14:41,796 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1436, error: 4294967281
2020-06-05 14:14:41,828 [root] DEBUG: DLL loaded at 0x72AB0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 14:14:41,843 [root] DEBUG: DLL loaded at 0x72AA0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 14:14:41,859 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-05 14:14:41,859 [root] DEBUG: DLL loaded at 0x76780000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-05 14:14:41,875 [root] DEBUG: DLL loaded at 0x72A40000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 14:14:41,875 [root] DEBUG: DLL loaded at 0x70D00000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 14:14:41,890 [root] DEBUG: DLL unloaded from 0x72A40000.
2020-06-05 14:14:41,906 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 14:14:41,906 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 14:14:41,921 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 14:14:41,921 [root] DEBUG: DLL loaded at 0x72A90000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 14:14:41,921 [root] DEBUG: DLL loaded at 0x72A80000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 14:14:41,937 [root] DEBUG: DLL loaded at 0x70D00000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 14:14:41,937 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 14:14:41,953 [root] DEBUG: DLL loaded at 0x72A70000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 14:14:41,953 [root] DEBUG: DLL loaded at 0x70CA0000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 14:14:41,953 [root] DEBUG: DLL loaded at 0x72A60000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 14:14:41,953 [root] DEBUG: DLL loaded at 0x761F0000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-05 14:14:41,968 [root] DEBUG: DLL loaded at 0x76AA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-05 14:14:41,968 [root] DEBUG: DLL loaded at 0x72A40000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 14:14:41,984 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:14:41,984 [root] DEBUG: DLL loaded at 0x74310000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 14:14:41,984 [root] DEBUG: DLL loaded at 0x70C90000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 14:14:42,000 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:14:42,000 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 14:14:42,015 [root] DEBUG: DLL loaded at 0x70C80000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 14:14:42,312 [root] DEBUG: DLL loaded at 0x70C40000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 14:14:42,328 [root] DEBUG: DLL unloaded from 0x74310000.
2020-06-05 14:14:42,328 [root] DEBUG: DLL unloaded from 0x72A90000.
2020-06-05 14:14:42,343 [root] DEBUG: DLL loaded at 0x70C30000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-05 14:14:42,343 [root] DEBUG: DLL unloaded from 0x74130000.
2020-06-05 14:14:42,359 [root] DEBUG: DLL loaded at 0x70BE0000: C:\Windows\SysWOW64\schannel (0x41000 bytes).
2020-06-05 14:14:43,718 [root] DEBUG: DLL loaded at 0x70BA0000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-05 14:14:43,718 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 14:14:43,718 [root] DEBUG: DLL loaded at 0x70B60000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-06-05 14:14:43,734 [root] DEBUG: DLL loaded at 0x75F10000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2020-06-05 14:14:43,750 [root] DEBUG: DLL loaded at 0x70B40000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-05 14:14:43,781 [root] DEBUG: DLL loaded at 0x70B20000: C:\Windows\system32\cryptnet (0x1d000 bytes).
2020-06-05 14:14:43,781 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-05 14:14:43,781 [root] DEBUG: DLL loaded at 0x70B10000: C:\Windows\system32\SensApi (0x6000 bytes).
2020-06-05 14:14:43,796 [root] DEBUG: DLL loaded at 0x70AB0000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-06-05 14:14:43,796 [root] DEBUG: DLL loaded at 0x70A60000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 14:14:43,796 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-05 14:14:43,812 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:44,828 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157', '', False, 'files')
2020-06-05 14:14:44,859 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157', '', False, 'files')
2020-06-05 14:14:44,875 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:44,953 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:45,796 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D', '', False, 'files')
2020-06-05 14:14:45,812 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D', '', False, 'files')
2020-06-05 14:14:45,828 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:45,843 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:45,843 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:46,453 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771', '', False, 'files')
2020-06-05 14:14:46,484 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771', '', False, 'files')
2020-06-05 14:14:46,500 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:46,734 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:46,750 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:46,812 [root] DEBUG: DLL unloaded from 0x70AB0000.
2020-06-05 14:14:46,812 [root] DEBUG: DLL unloaded from 0x70AB0000.
2020-06-05 14:14:46,812 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:46,812 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:47,671 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:47,796 [root] WARNING: Unable to open termination event for pid 4632.
2020-06-05 14:14:47,796 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFF35CEC3BB9D885C9.TMP', '', False, 'files')
2020-06-05 14:14:47,875 [root] INFO: ('dump_file', 'C:\\uSCtlH\\CAPE\\4632_2828576591338205562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\COVID-19994872372632.exe;?0x003D0000;?', ['4632'], 'CAPE')
2020-06-05 14:14:48,546 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:48,562 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:48,640 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:48,656 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:49,687 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:49,718 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93', '', False, 'files')
2020-06-05 14:14:49,750 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:49,765 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:50,765 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\AA04AA0E1A0CA481158DB3804249026C', '', False, 'files')
2020-06-05 14:14:50,796 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\AA04AA0E1A0CA481158DB3804249026C', '', False, 'files')
2020-06-05 14:14:50,859 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:51,937 [root] DEBUG: DLL unloaded from 0x74C10000.
2020-06-05 14:14:51,953 [root] DEBUG: DLL unloaded from 0x76930000.
2020-06-05 14:14:51,968 [root] DEBUG: DLL unloaded from 0x70C80000.
2020-06-05 14:14:51,984 [root] DEBUG: DLL unloaded from 0x70CA0000.
2020-06-05 14:14:53,843 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:54,750 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203', '', False, 'files')
2020-06-05 14:14:54,812 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203', '', False, 'files')
2020-06-05 14:14:54,875 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:14:57,187 [root] DEBUG: DLL unloaded from 0x76FA0000.
2020-06-05 14:14:57,671 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F', '', False, 'files')
2020-06-05 14:14:57,687 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F', '', False, 'files')
2020-06-05 14:14:57,734 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:15:02,000 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-06-05 14:15:30,828 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:15:30,828 [root] DEBUG: DLL unloaded from 0x761F0000.
2020-06-05 14:15:44,875 [root] DEBUG: DLL unloaded from 0x70AB0000.
2020-06-05 14:16:22,875 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:16:22,875 [root] DEBUG: DLL unloaded from 0x761F0000.
2020-06-05 14:16:54,000 [root] DEBUG: DLL unloaded from 0x70B20000.
2020-06-05 14:16:54,000 [root] DEBUG: DLL unloaded from 0x761F0000.
2020-06-05 14:17:40,703 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:17:40,718 [lib.api.process] ERROR: Failed to open terminate event for pid 4632
2020-06-05 14:17:40,718 [root] INFO: Terminate event set for process 4632.
2020-06-05 14:17:40,718 [lib.api.process] INFO: Terminate event set for process 4892
2020-06-05 14:17:40,718 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 4892).
2020-06-05 14:17:40,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:17:40,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:17:40,750 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x002D1000
2020-06-05 14:17:40,750 [root] DEBUG: ProcessImageBase: EP 0x73377CEF image base 0x002D0000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:17:40,781 [root] DEBUG: Terminate Event: Skipping dump of process 4892
2020-06-05 14:17:40,781 [lib.api.process] INFO: Termination confirmed for process 4892
2020-06-05 14:17:40,781 [root] INFO: Terminate event set for process 4892.
2020-06-05 14:17:40,781 [root] INFO: Created shutdown mutex.
2020-06-05 14:17:40,781 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4892
2020-06-05 14:17:41,781 [root] INFO: Shutting down package.
2020-06-05 14:17:41,781 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:17:41,953 [lib.common.results] WARNING: File C:\uSCtlH\bin\procmon.xml doesn't exist anymore
2020-06-05 14:17:41,953 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:17:41,968 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:17:41,984 [root] INFO: Uploading files at path "C:\uSCtlH\debugger" 
2020-06-05 14:17:42,000 [root] WARNING: Monitor injection attempted but failed for process 1436.
2020-06-05 14:17:42,015 [root] INFO: Analysis completed.

Machine

Name       Label      Manager  Started On           Shutdown On
win7x64_4  win7x64_8  KVM      2020-06-05 14:12:23  2020-06-05 14:17:48

File Details

File Name COVID-19994872372632.exe
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2009-12-26 17:19:50
MD5 811d4e97242c98a30aaab51eece7ba24
SHA1 07b70e71cc0d124020d4893e2493756305f13abe
SHA256 604cdf637c64c8862b506caa60d1a66b02f97127dc265c6943cadd126fc32f14
SHA512 50037760997c317a58a1f874bcc7aacf4fa9025d2f47ffa97a092fdc62d0ad8ccbbc115711fc97d0ea9f001c19717244d194d118f26ff05d95c1e5c3cea58242
CRC32 E76F249A
Ssdeep 1536:Vx7lDrdLtw+6ypNzwDwvTzm+S27pN7kX2zWkT:VxFrdhT6ypOE/PS2Mo

Signatures

Behavioural detection: Executable code extraction - unpacking
Attempts to connect to a dead IP:Port (4 unique times)
IP: 192.124.249.31:80
IP: 93.184.220.29:80
IP: 192.124.249.23:80 (United States)
IP: 93.184.221.240:80
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4632 triggered the Yara rule 'shellcode_patterns'
Hit: PID 4632 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 4632 triggered the Yara rule 'HeavensGate'
NtSetInformationThread: attempt to hide thread from debugger
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: WS2_32.dll/
DynamicLoader: SHLWAPI.dll/UrlGetPartW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: CRYPTBASE.dll/SystemFunction001
DynamicLoader: CRYPTBASE.dll/SystemFunction002
DynamicLoader: CRYPTBASE.dll/SystemFunction003
DynamicLoader: CRYPTBASE.dll/SystemFunction004
DynamicLoader: CRYPTBASE.dll/SystemFunction005
DynamicLoader: CRYPTBASE.dll/SystemFunction028
DynamicLoader: CRYPTBASE.dll/SystemFunction029
DynamicLoader: CRYPTBASE.dll/SystemFunction034
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WS2_32.dll/
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
HTTPS urls from behavior.
URL: https://rebrand.ly/ws5cd0s
CAPE extracted potentially suspicious content
COVID-19994872372632.exe: Unpacked Shellcode
COVID-19994872372632.exe: Unpacked Shellcode
COVID-19994872372632.exe: Unpacked Shellcode
Unconventional language used in binary resources: Catalan
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00010000, virtual_size: 0x0000f07c
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe
Behavioural detection: Injection (Process Hollowing)
Injection: COVID-19994872372632.exe(4632) -> RegAsm.exe(4892)
Executed a process and injected code into it, probably while unpacking
Injection: COVID-19994872372632.exe(4632) -> RegAsm.exe(4892)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\emissionsfo
data: C:\Users\Louise\sgnehell\Solicitudin.exe
File has been identified by 15 Antiviruses on VirusTotal as malicious
McAfee: Fareit-FST!811D4E97242C
Cylance: Unsafe
Sangfor: Malware
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Rising: Downloader.Guloader!1.C738 (CLOUD)
Trapmine: malicious.moderate.ml.score
SentinelOne: DFI - Suspicious PE
Endgame: malicious (high confidence)
Microsoft: PWS:Win32/Fareit.AB!MTB
ZoneAlarm: UDS:DangerousObject.Multi.Generic
ESET-NOD32: a variant of Win32/Injector.EMGX
eGambit: Unsafe.AI_Score_100%
BitDefenderTheta: Gen:[email protected]
CrowdStrike: win/malicious_confidence_80% (W)
Attempts to modify proxy settings
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
Y       51.145.123.29   United Kingdom
N       3.208.218.1     United States
Y       192.124.249.23  United States
Y       13.107.42.13    United States
N       13.107.42.12    United States

DNS

Name                      Response        Post-Analysis Lookup
rebrand.ly                A 3.208.218.1   35.171.123.77
g41zxq.ch.files.1drv.com  A 13.107.42.12  13.107.42.12

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DFF35CEC3BB9D885C9.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Users\Louise
C:\Users
C:\Users\Louise\sgnehell
C:\Windows\SysWOW64\shell32.dll
C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe
C:\Users\Louise\sgnehell\Solicitudin.exe
C:\Users\Louise\AppData\LocalLow
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\67F6625BC22310D5C99DDE12020DBD90
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DFF35CEC3BB9D885C9.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\SysWOW64\shell32.dll
C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\67F6625BC22310D5C99DDE12020DBD90
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\Local\Temp\~DFF35CEC3BB9D885C9.TMP
C:\Users\Louise\sgnehell\Solicitudin.exe
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\928BEEFA609053F205E5FDD769FADAE9_87B0E007497F364B73B12596DD699E93
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AA04AA0E1A0CA481158DB3804249026C
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\startbogstavs\Caponized9
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Tuberculomas\Coatninger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\RegAsm.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\RegAsm.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\RegAsm.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\emissionsfo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\emissionsfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
iphlpapi.dll.NotifyUnicastIpAddressChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
ws2_32.dll.#5
shlwapi.dll.UrlGetPartW
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
cryptbase.dll.SystemFunction001
cryptbase.dll.SystemFunction002
cryptbase.dll.SystemFunction003
cryptbase.dll.SystemFunction004
cryptbase.dll.SystemFunction005
cryptbase.dll.SystemFunction028
cryptbase.dll.SystemFunction029
cryptbase.dll.SystemFunction034
cryptbase.dll.SystemFunction040
cryptbase.dll.SystemFunction041
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.GetIfEntry2
nsi.dll.NsiFreeTable
sechost.dll.ConvertSidToStringSidW
profapi.dll.#104
winhttp.dll.WinHttpSendRequest
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#9
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
shlwapi.dll.StrStrIW
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
ws2_32.dll.#22
"C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe"
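
The two command lines above show the sample starting itself and then launching the .NET Framework utility RegAsm.exe with the sample's own path as the only argument, and the registry listing contains a RunOnce value named emissionsfo. The script below is an added example written by the editor, not code from the sandbox, the report or the sample. It parses lines of exactly that form and flags two things: a trusted .NET host binary started with a foreign executable as its argument (a pattern consistent with process hollowing into a signed host; the report itself does not say what RegAsm.exe was used for) and any Run/RunOnce value that was written. The host-binary list and the function names are the editor's choice, and treating the RunOnce entry as a write is an assumption: the extraction dropped the report's category headings, so the listing does not say whether that key was read or written.

```python
"""Triage helper for a sandbox summary in the form shown above.

Added example by the editor; not part of the sandbox report or the sample.
The command lines, key path and payload name in SAMPLE_* are copied from the
report; everything else (host list, function names, treating the RunOnce
entry as a write) is the editor's assumption.
"""
import ntpath
import re

# Signed .NET Framework utilities that loaders commonly start suspended and
# overwrite with their payload. Editor's list, not the report's; extend it.
TRUSTED_DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Autostart values under HKCU/HKLM ...\CurrentVersion\Run and RunOnce,
# including the Wow6432Node variants. Matched case-insensitively.
AUTORUN_KEY_RE = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into image path and arguments,
    honouring double quotes (the report quotes paths containing spaces)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_hollowing_candidates(commands):
    """Return (host path, payload path) pairs for every trusted .NET host
    launched with a path to a *different* .exe among its arguments."""
    hits = []
    for cmd in commands:
        parts = split_cmdline(cmd)
        if len(parts) < 2:
            continue
        host = ntpath.basename(parts[0]).lower()
        if host not in TRUSTED_DOTNET_HOSTS:
            continue
        for arg in parts[1:]:
            if arg.lower().endswith(".exe") and ntpath.basename(arg).lower() != host:
                hits.append((parts[0], arg))
    return hits


def find_autorun_writes(keys_written):
    """Return (full key path, value name) for every autostart value written."""
    hits = []
    for key in keys_written:
        m = AUTORUN_KEY_RE.match(key.strip())
        if m:
            hits.append((key.strip(), m.group("value")))
    return hits


def triage(commands, keys_written):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for host, payload in find_hollowing_candidates(commands):
        findings.append(
            f"trusted .NET host {host} started with foreign executable {payload}: "
            "possible process hollowing/injection target"
        )
    for key, value in find_autorun_writes(keys_written):
        parent = key.rsplit("\\", 1)[0]
        findings.append(f"autostart value '{value}' written under {parent}")
    return findings


# Lines copied from the report above, constructed into Python lists here.
SAMPLE_COMMANDS = [
    r'"C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe"',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Users\Louise\AppData\Local\Temp\COVID-19994872372632.exe"',
]
SAMPLE_KEYS_WRITTEN = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\emissionsfo",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_COMMANDS, SAMPLE_KEYS_WRITTEN):
        print(line)
```

The Wpad\*, WinHttpSettings and CryptnetUrlCache entries in the listing are side effects of WinHTTP proxy auto-detection and of crypt32 building a certificate chain; together with the resolved WinHttpSendRequest/WinHttpReceiveResponse imports they point to HTTP activity, but they appear for benign software too, which is why the script reports only the host launch and the autostart write and leaves those entries as context.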

PE Information

Image Base: 0x00400000
Entry Point: 0x004014c8
Reported Checksum: 0x0001525a
Actual Checksum: 0x0001525a
Minimum OS Version: 4.0
Compile Time: 2009-12-26 17:19:50
Import Hash: c724fdcf7aa8aa639f1dccc3a53595c7
Icon Exact Hash: c7a96f37b007cf4f7f5c82f1a79ac808
Icon Similarity Hash: 728f05a81a56f1561d4dae52249a1909

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f07c 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.83
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x0000157c 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.14

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123c4 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.11 None
RT_ICON 0x000123c4 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.11 None
RT_ICON 0x000123c4 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.11 None
RT_GROUP_ICON 0x00012394 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x00000244 LANG_CATALAN SUBLANG_DEFAULT 3.22 None

Imports (MSVBVM60.DLL; entries shown as None carry no name in the import table)

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 __vbaStrVarMove
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 None
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 None
0x40103c None
0x401044 None
0x401048 _adj_fdiv_m32
0x40104c None
0x401050 None
0x401054 None
0x401058 __vbaObjSet
0x40105c _adj_fdiv_m16i
0x401060 _adj_fdivr_m16i
0x401064 None
0x401068 __vbaFpR8
0x40106c _CIsin
0x401070 __vbaChkstk
0x401074 EVENT_SINK_AddRef
0x401078 None
0x40107c __vbaStrCmp
0x401080 __vbaVarTstEq
0x401084 None
0x401088 None
0x40108c None
0x401090 __vbaCastObjVar
0x401094 None
0x401098 _adj_fpatan
0x40109c None
0x4010a0 EVENT_SINK_Release
0x4010a4 __vbaUI1I2
0x4010a8 _CIsqrt
0x4010b0 __vbaExceptHandler
0x4010b4 None
0x4010b8 _adj_fprem
0x4010bc _adj_fdivr_m64
0x4010c0 None
0x4010c4 None
0x4010c8 __vbaFPException
0x4010cc None
0x4010d0 _CIlog
0x4010d4 __vbaNew2
0x4010d8 _adj_fdiv_m32i
0x4010dc _adj_fdivr_m32i
0x4010e0 __vbaStrCopy
0x4010e4 __vbaFreeStrList
0x4010e8 None
0x4010ec _adj_fdivr_m32
0x4010f0 _adj_fdiv_r
0x4010f4 None
0x4010f8 __vbaI4Var
0x4010fc None
0x401100 None
0x401104 None
0x401108 __vbaVarDup
0x40110c None
0x401114 _CIatan
0x401118 __vbaStrMove
0x40111c __vbaUI1Str
0x401120 __vbaR8IntI4
0x401124 _allmul
0x401128 None
0x40112c _CItan
0x401130 None
0x401134 None
0x401138 _CIexp
0x40113c __vbaFreeStr
0x401140 __vbaFreeObj

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
VRELSE
Pejamol5
specialuddan
"Exif
specialuddan
Check1
BRUSEBADESEM
niaari
Option3
TINAAPPLICA
Option2
indeciduat
Option1
Line2
Line1
VB5!6&*
HERON
VRELSE
VRELSE
VRELSE
Pejamol5
Elbenepigl
fodboldur
PSYCHOMETERA
Artmazum
anapterygot
SNITV
Majest
Ophio1
Roste2
Vainer
Noncommens4
TINAAPPLICA
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Check1
indeciduat
niaari
LYNNEDSLAGENE
kneeing
Bottomlessly
Deathcup
CROSSABILITY
kawaka
VISERENDE
Uanvendeliges
BRUGERANGIVNE
OLDFRUER
facsim
Eftergrelse3
VBA6.DLL
__vbaFpR8
__vbaVarMove
__vbaUI1Str
__vbaVarDup
__vbaFreeObjList
__vbaFreeObj
__vbaStrVarMove
__vbaFreeVarList
__vbaVarTstEq
__vbaFreeStr
__vbaStrCopy
__vbaUI1I2
__vbaCastObjVar
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
__vbaVarLateMemCallLd
__vbaFreeVar
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaStrCmp
__vbaI4Var
__vbaR8IntI4
Kystklima
Volstead5
PHTHIRIUS
Solod
Larvicidal
Foruroligelserne5
UNCONTEMPTIBLY
INSTRUKTIONSKURSUS
Vngerne
Tilhrendes4
Dveskolens8
Servicefunktioners5
EKSEKUTION
Diktere1
CHEFDOM
Lornness7
RANVEIG
Forpligtelseserklrings
metea
Irradiate5
Amuck7
BRANIFF
Bestvlede6
reaccelerated
Oinks
surstyle
sammenstds
refractional
TOTALERS
brdstudiers
Merling8
SATANIZE
DONNER
Driftsikkert6
Plastiskes9
VENSTRELINEAER
Skovhugsterne1
Heautomorphism1
Whoreishly
Bryggerkedels9
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCastObjVar
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaVarDup
__vbaVarLateMemCallLd
_CIatan
__vbaStrMove
__vbaUI1Str
__vbaR8IntI4
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
L3kOpEkLYZppyTY9i0RZwqFI8r197
Spiralsnoet6
somatological
annelides
Jurata
Sejrvindings
Upshoot3
KOMMUNALBESTYRELSE
aflvningerne
CONTAINMENT
CANCANENS
KATJES
medicean
FLERRIED
OLIGIST
Coatninger
Fodterapeuters
startbogstavs
Caponized9
Blokfljternes
TALVRDIEN
harpist
Tuberculomas
Polydaemonist5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
VRELSE
FileVersion
ProductVersion
InternalName
HERON
OriginalFilename
HERON.exe

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean FireEye Clean
CAT-QuickHeal Clean McAfee Fareit-FST!811D4E97242C Cylance Unsafe
Zillya Clean SUPERAntiSpyware Clean Sangfor Malware
K7AntiVirus Clean Alibaba Clean K7GW Clean
Cybereason Clean Arcabit Clean TrendMicro Clean
Baidu Clean Cyren Clean Symantec Clean
TotalDefense Clean APEX Malicious Avast Clean
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean Paloalto Clean AegisLab Clean
Rising Downloader.Guloader!1.C738 (CLOUD) Ad-Aware Clean Emsisoft Clean
Comodo Clean F-Secure Clean DrWeb Clean
VIPRE Clean Invincea Clean McAfee-GW-Edition Clean
Fortinet Clean Trapmine malicious.moderate.ml.score CMC Clean
Sophos Clean SentinelOne DFI - Suspicious PE F-Prot Clean
Jiangmin Clean Webroot Clean Avira Clean
MAX Clean Antiy-AVL Clean Kingsoft Clean
Endgame malicious (high confidence) Microsoft PWS:Win32/Fareit.AB!MTB ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean AhnLab-V3 Clean
Acronis Clean ALYac Clean TACHYON Clean
VBA32 Clean Malwarebytes Clean Zoner Clean
ESET-NOD32 a variant of Win32/Injector.EMGX TrendMicro-HouseCall Clean Tencent Clean
Yandex Clean Ikarus Clean eGambit Unsafe.AI_Score_100%
GData Clean BitDefenderTheta Gen:[email protected] AVG Clean
Panda Clean CrowdStrike win/malicious_confidence_80% (W) Qihoo-360 Clean

Behavior

No behavior log was captured for this run.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.145.123.29 [VT] United Kingdom
N 3.208.218.1 [VT] United States
Y 192.124.249.23 [VT] United States
Y 13.107.42.13 [VT] United States
N 13.107.42.12 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.1.9 49210 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49215 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49218 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49221 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49225 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49228 13.107.42.12 g41zxq.ch.files.1drv.com 443
192.168.1.9 49214 13.107.42.13 443
192.168.1.9 49220 13.107.42.13 443
192.168.1.9 49227 13.107.42.13 443
192.168.1.9 49173 13.107.42.23 443
192.168.1.9 49175 13.107.42.23 443
192.168.1.9 49187 192.124.249.23 80
192.168.1.9 49198 192.124.249.23 80
192.168.1.9 49192 192.124.249.31 80
192.168.1.9 49183 3.208.218.1 rebrand.ly 443
192.168.1.9 49197 3.208.218.1 rebrand.ly 443
192.168.1.9 49203 3.208.218.1 rebrand.ly 443
192.168.1.9 49213 3.208.218.1 rebrand.ly 443
192.168.1.9 49216 3.208.218.1 rebrand.ly 443
192.168.1.9 49219 3.208.218.1 rebrand.ly 443
192.168.1.9 49226 3.208.218.1 rebrand.ly 443
192.168.1.9 49229 3.208.218.1 rebrand.ly 443
192.168.1.9 49721 52.114.132.22 26668
192.168.1.9 3022 52.114.132.22 38530
192.168.1.9 49222 52.114.132.22 443
192.168.1.9 49223 93.184.220.29 80

UDP

Source Source Port Destination Destination Port
192.168.1.9 137 192.168.1.255 137
192.168.1.9 51751 8.8.8.8 53
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 54190 8.8.8.8 53
192.168.1.9 54609 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 55319 8.8.8.8 53
192.168.1.9 57309 8.8.8.8 53
192.168.1.9 59058 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 62770 8.8.8.8 53
192.168.1.9 63630 8.8.8.8 53
192.168.1.9 64185 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
rebrand.ly [VT] A 3.208.218.1 [VT] 35.171.123.77 [VT]
g41zxq.ch.files.1drv.com [VT] A 13.107.42.12 [VT] 13.107.42.12 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:14:25.348 192.168.1.9 [VT] 49172 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:14:25.475 192.168.1.9 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:14:25.475 192.168.1.9 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:14:25.486 192.168.1.9 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:14:25.756 192.168.1.9 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:14:25.471 192.168.1.9 [VT] 49172 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:14:25.593 192.168.1.9 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:14:25.636 192.168.1.9 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:14:25.691 192.168.1.9 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:14:25.837 192.168.1.9 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:14:48.273 192.168.1.9 [VT] 49183 3.208.218.1 [VT] 443 OU=Domain Control Validated, CN=rebrand.ly 6d:36:e3:1b:3d:d4:28:b8:ac:da:59:6b:cb:31:4a:01:b5:8f:9b:44 TLS 1.2
2020-06-05 14:14:54.851 192.168.1.9 [VT] 49197 3.208.218.1 [VT] 443 TLS 1.2
2020-06-05 14:14:56.766 192.168.1.9 [VT] 49203 3.208.218.1 [VT] 443 TLS 1.2
2020-06-05 14:14:58.433 192.168.1.9 [VT] 49206 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:15:01.766 192.168.1.9 [VT] 49210 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:15:14.761 192.168.1.9 [VT] 49213 3.208.218.1 [VT] 443 TLS 1.2
2020-06-05 14:15:16.100 192.168.1.9 [VT] 49214 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:15:18.067 192.168.1.9 [VT] 49215 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:15:42.956 192.168.1.9 [VT] 49216 3.208.218.1 [VT] 443 TLS 1.2
2020-06-05 14:15:44.258 192.168.1.9 [VT] 49217 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:15:46.172 192.168.1.9 [VT] 49218 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:15:58.627 192.168.1.9 [VT] 49219 3.208.218.1 [VT] 443 TLS 1.2
2020-06-05 14:15:59.964 192.168.1.9 [VT] 49220 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:16:02.182 192.168.1.9 [VT] 49221 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:16:08.146 192.168.1.9 [VT] 49222 52.114.132.22 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2
2020-06-05 14:16:28.627 192.168.1.9 [VT] 49224 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:16:30.408 192.168.1.9 [VT] 49225 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:17:08.018 192.168.1.9 [VT] 49226 3.208.218.1 [VT] 443 OU=Domain Control Validated, CN=rebrand.ly 6d:36:e3:1b:3d:d4:28:b8:ac:da:59:6b:cb:31:4a:01:b5:8f:9b:44 TLS 1.2
2020-06-05 14:17:09.924 192.168.1.9 [VT] 49227 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:17:12.028 192.168.1.9 [VT] 49228 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:17:24.543 192.168.1.9 [VT] 49229 3.208.218.1 [VT] 443 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:14:49.898 192.168.1.9 [VT] 49184 93.184.221.240 [VT] 80 200 ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8ce26bf9a81d29b9 application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:14:50.852 192.168.1.9 [VT] 49187 192.124.249.23 [VT] 80 200 ocsp.godaddy.com [VT] //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1697
2020-06-05 14:14:51.504 192.168.1.9 [VT] 49187 192.124.249.23 [VT] 80 200 ocsp.godaddy.com [VT] //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1731
2020-06-05 14:14:51.792 192.168.1.9 [VT] 49190 192.124.249.23 [VT] 80 200 ocsp.godaddy.com [VT] //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCG4cr1RWVQ3%2B application/ocsp-response Microsoft-CryptoAPI/6.1 None 1776
2020-06-05 14:14:51.879 192.168.1.9 [VT] 49191 192.124.249.31 [VT] 80 None crl.godaddy.com [VT] /gdroot-g2.crl None Microsoft-CryptoAPI/6.1 None 0
2020-06-05 14:14:51.879 192.168.1.9 [VT] 49192 192.124.249.31 [VT] 80 None crl.godaddy.com [VT] /gdig2s1-1960.crl None Microsoft-CryptoAPI/6.1 None 0
2020-06-05 14:14:53.605 192.168.1.9 [VT] 49198 192.124.249.23 [VT] 80 200 ocsp.godaddy.com [VT] //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCG4cr1RWVQ3%2B application/ocsp-response Microsoft-CryptoAPI/6.1 None 1776
2020-06-05 14:14:54.758 192.168.1.9 [VT] 49198 192.124.249.23 [VT] 80 200 ocsp.godaddy.com [VT] //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCG4cr1RWVQ3%2B application/ocsp-response Microsoft-CryptoAPI/6.1 None 1776
2020-06-05 14:14:56.035 192.168.1.9 [VT] 49202 192.124.249.31 [VT] 80 200 crl.godaddy.com [VT] /gdig2s1-1960.crl application/pkix-crl Microsoft-CryptoAPI/6.1 None 26213
2020-06-05 14:14:59.812 192.168.1.9 [VT] 49207 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:15:02.718 192.168.1.9 [VT] 49207 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:16:09.302 192.168.1.9 [VT] 49223 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507

No files were extracted by Suricata.
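
Every request in the Suricata HTTP table carries the Microsoft-CryptoAPI/6.1 user agent and goes to a CTL, CRL or OCSP endpoint: this is Windows building and checking the certificate chains for the TLS connections above, not traffic the sample generates itself, which is why the HTTP Requests section lists none. The timestamps line up with that reading: the GoDaddy OCSP and CRL fetches follow the rebrand.ly handshake at 14:14:48 (its certificate is the GoDaddy-style OU=Domain Control Validated), and the DigiCert OCSP fetch follows the onedrive.com handshake at 14:14:58. An OCSP GET path is the URL-encoded base64 of a DER OCSPRequest (RFC 6960, appendix A.1), so the identity of the certificate being checked can be recovered from the URI alone. The decoder below is an added example, not part of the report or of CAPE; its two inputs are request paths copied from the table, and the minimal DER walker is the example's own code.

```python
import base64
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles short- and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split a constructed DER value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_ocsp_get(uri: str):
    """Decode an OCSP-over-GET path (URL-encoded base64 of a DER OCSPRequest) into the CertID(s) it asks about."""
    der = base64.b64decode(urllib.parse.unquote(uri.lstrip("/")))
    _, ocsp_request, _ = der_read(der, 0)            # OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature? }
    tbs = der_children(ocsp_request)[0][1]            # TBSRequest ::= SEQUENCE { [0] version?, [1] requestorName?, requestList }
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)
    cert_ids = []
    for _, request in der_children(request_list):     # Request ::= SEQUENCE { reqCert CertID, ... }
        cert_id = der_children(request)[0][1]         # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)
        oid = der_children(alg)[0][1]
        cert_ids.append({
            "hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True),
        })
    return cert_ids


# Request paths copied from the report's Suricata HTTP table (ocsp.godaddy.com and ocsp.digicert.com).
GODADDY_OCSP_URI = "//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D"
DIGICERT_OCSP_URI = "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"

if __name__ == "__main__":
    for uri in (GODADDY_OCSP_URI, DIGICERT_OCSP_URI):
        for cid in decode_ocsp_get(uri):
            print(f'{cid["hash_alg"]} issuerKeyHash={cid["issuer_key_hash"]} serial={cid["serial"]:#x}')
```

The GoDaddy request resolves to a single SHA-1 CertID with serial 0x1be715; the DigiCert one to a 16-byte serial. The issuerKeyHash is the SHA-1 of the issuing CA's public key, so it can be matched against the Subject Key Identifier of the intermediate that signed rebrand.ly's or onedrive.com's certificate to confirm which chain each check belongs to, without needing the pcap.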

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.9 49210 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49215 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49218 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49221 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49225 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49228 13.107.42.12 g41zxq.ch.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49206 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49214 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49217 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49220 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49224 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49227 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49183 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49197 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49203 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49213 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49216 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49219 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49226 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49229 3.208.218.1 rebrand.ly 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.9 49222 52.114.132.22 443 d124ae14809abde3528a479fe01a12bd unknown
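
Two JA3 fingerprints appear in the table. 1074895078955b2db60423ed2bf8ac23 is seen only on the five connections to 13.107.42.23, all opened within the first seconds of the run and all presenting a CN=edge.skype.com certificate in the Suricata TLS table; those are the flows the ET JA3 Hash - Possible Malware alert matched, so the alert is most plausibly on the VM's own background Skype traffic rather than on the sample. d124ae14809abde3528a479fe01a12bd covers the rebrand.ly / OneDrive download chain but also the 52.114.132.22 *.events.data.microsoft.com telemetry connection, which is consistent with the sample going through the Windows TLS stack via WinHTTP (the winhttp.dll imports listed earlier) rather than shipping its own client. To make such hashes reproducible, the block below is an added example, not part of the report or of CAPE: it parses a ClientHello, strips GREASE values and builds the JA3 string and its MD5. The ClientHello is constructed; only the rebrand.ly server name is taken from the report, and the cipher, extension and group lists are the example's own.

```python
import hashlib
import struct


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3-relevant fields (plus SNI) out of a TLS record carrying a ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    extensions, groups, formats, sni = [], [], [], None
    if pos < len(body):
        ext_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 0:                      # server_name: u16 list length, u8 type, u16 length, name
                sni = edata[5:5 + struct.unpack_from("!H", edata, 3)[0]].decode("ascii", "replace")
            elif etype == 10:                   # supported_groups: u16 list length, u16 entries
                n = struct.unpack_from("!H", edata, 0)[0]
                groups = [struct.unpack_from("!H", edata, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11:                   # ec_point_formats: u8 list length, u8 entries
                formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats, "sni": sni}


def ja3(record: bytes):
    """Return (ja3 string, ja3 md5) for a ClientHello record: version,ciphers,extensions,groups,formats."""
    h = parse_client_hello(record)
    text = ",".join([
        str(h["version"]),
        "-".join(str(c) for c in h["ciphers"] if not is_grease(c)),
        "-".join(str(e) for e in h["extensions"] if not is_grease(e)),
        "-".join(str(g) for g in h["groups"] if not is_grease(g)),
        "-".join(str(f) for f in h["formats"]),
    ])
    return text, hashlib.md5(text.encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Serialise a ClientHello (TLS 1.2 framing) from cipher ids and (type, data) extensions. Test scaffolding only."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


def sample_record() -> bytes:
    """Constructed ClientHello with a GREASE value in every list; only the server name comes from the report."""
    name = b"rebrand.ly"
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups = [0x2A2A, 0x001D, 0x0017, 0x0018]
    groups_ext = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    return build_client_hello(
        [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
        [(0x1A1A, b""), (0, sni), (10, groups_ext), (11, b"\x01\x00"), (35, b""), (23, b"")],
    )

if __name__ == "__main__":
    print(*ja3(sample_record()))
```

For the constructed hello the JA3 string is 771,4865-4866-49195-49199,0-10-11-35-23,29-23-24,0: the GREASE cipher, extension and group have been dropped, which is what makes the hash stable across a browser's randomised GREASE values. Reading the ClientHello out of the pcap instead of sample_record() reproduces the hashes in the table, and pairing the hash with the parsed SNI gives the same (fingerprint, destination) view the JA3 table shows.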

No dropped files, no CAPE-extracted payloads and no process dumps were produced by this run.

MITRE ATT&CK

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun

    Processing ( 9.52 seconds )

    • 5.279 Suricata
    • 2.508 NetworkAnalysis
    • 0.665 BehaviorAnalysis
    • 0.499 Static
    • 0.212 VirusTotal
    • 0.136 CAPE
    • 0.08 AnalysisInfo
    • 0.06 Dropped
    • 0.057 Deduplicate
    • 0.011 TargetInfo
    • 0.006 peid
    • 0.005 Debug
    • 0.002 Strings

    Signatures ( 0.567 seconds )

    • 0.103 antiav_detectreg
    • 0.038 infostealer_ftp
    • 0.035 territorial_disputes_sigs
    • 0.022 infostealer_im
    • 0.022 ransomware_files
    • 0.021 antianalysis_detectreg
    • 0.018 antivm_generic_disk
    • 0.017 stealth_timeout
    • 0.016 api_spamming
    • 0.016 decoy_document
    • 0.012 NewtWire Behavior
    • 0.012 masquerade_process_name
    • 0.011 bootkit
    • 0.011 antivm_vbox_keys
    • 0.011 ransomware_extensions
    • 0.01 antiav_detectfile
    • 0.009 mimics_filetime
    • 0.009 infostealer_mail
    • 0.008 virus
    • 0.007 antidbg_windows
    • 0.007 reads_self
    • 0.007 antivm_vmware_keys
    • 0.006 persistence_autorun
    • 0.006 stealth_file
    • 0.006 antianalysis_detectfile
    • 0.006 infostealer_bitcoin
    • 0.005 antivm_generic_scsi
    • 0.005 hancitor_behavior
    • 0.005 antivm_parallels_keys
    • 0.005 antivm_xen_keys
    • 0.005 modify_proxy
    • 0.004 antivm_vbox_files
    • 0.004 geodo_banking_trojan
    • 0.003 antiav_avast_libs
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vpc_keys
    • 0.003 browser_security
    • 0.002 Doppelganging
    • 0.002 InjectionCreateRemoteThread
    • 0.002 antiemu_wine_func
    • 0.002 antivm_generic_services
    • 0.002 antivm_vbox_libs
    • 0.002 betabot_behavior
    • 0.002 dynamic_function_loading
    • 0.002 exec_crash
    • 0.002 infostealer_browser
    • 0.002 injection_createremotethread
    • 0.002 kibex_behavior
    • 0.002 malicious_dynamic_function_loading
    • 0.002 recon_programs
    • 0.002 sets_autoconfig_url
    • 0.002 tinba_behavior
    • 0.002 bypass_firewall
    • 0.002 disables_browser_warn
    • 0.002 qulab_files
    • 0.002 network_torgateway
    • 0.001 antiav_bitdefender_libs
    • 0.001 antiav_bullgaurd_libs
    • 0.001 antiav_emsisoft_libs
    • 0.001 antiav_qurb_libs
    • 0.001 antiav_apioverride_libs
    • 0.001 antiav_nthookengine_libs
    • 0.001 antisandbox_sboxie_libs
    • 0.001 antisandbox_sunbelt_libs
    • 0.001 uac_bypass_eventvwr
    • 0.001 dridex_behavior
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser_password
    • 0.001 kovter_behavior
    • 0.001 network_anomaly
    • 0.001 network_tor
    • 0.001 blackrat_registry_keys
    • 0.001 rat_nanocore
    • 0.001 OrcusRAT Behavior
    • 0.001 shifu_behavior
    • 0.001 stealth_network
    • 0.001 antidbg_devices
    • 0.001 antivm_xen_keys
    • 0.001 antivm_generic_bios
    • 0.001 antivm_generic_system
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vmware_files
    • 0.001 ketrican_regkeys
    • 0.001 browser_addon
    • 0.001 darkcomet_regkeys
    • 0.001 predatorthethief_files
    • 0.001 network_dns_opennic
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 warzonerat_regkeys
    • 0.001 recon_fingerprint
    • 0.001 remcos_regkeys

    Reporting ( 16.258 seconds )

    • 15.867 BinGraph
    • 0.269 MITRE_TTPS
    • 0.122 PCAP2CERT